filter {
  if [fileset][module] == "auditd" {
    grok {
      match => {
        "message" => [
          "%{AUDIT_PREFIX} %{AUDIT_KEY_VALUES:[auditd][log][kv]} old auid=%{NUMBER:[auditd][log][old_auid]} new auid=%{NUMBER:[auditd][log][new_auid]} old ses=%{NUMBER:[auditd][log][old_ses]} new ses=%{NUMBER:[auditd][log][new_ses]}",
          "%{AUDIT_PREFIX} %{AUDIT_KEY_VALUES:[auditd][log][kv]} msg=['\"](%{DATA:[auditd][log][msg]}\s+)?%{AUDIT_KEY_VALUES:[auditd][log][sub_kv]}['\"]",
          "%{AUDIT_PREFIX} %{AUDIT_KEY_VALUES:[auditd][log][kv]}",
          "%{AUDIT_PREFIX}",
          "%{AUDIT_TYPE} %{AUDIT_KEY_VALUES:[auditd][log][kv]}"
        ]
      }
      pattern_definitions => {
        "AUDIT_TYPE" => "^type=%{NOTSPACE:[auditd][log][record_type]}"
        "AUDIT_PREFIX" => "%{AUDIT_TYPE} msg=audit\(%{NUMBER:[auditd][log][epoch]}:%{NUMBER:[auditd][log][sequence]}\):(%{DATA})?"
        "AUDIT_KEY_VALUES" => "%{WORD}=%{GREEDYDATA}"
      }
      remove_field => "message"
    }

    date {
      match => [
        "[auditd][log][epoch]",
        "UNIX"
      ]
      target => "@timestamp"
    }

    mutate {
      convert => {
        "[auditd][log][sequence]" => "integer"
      }
    }

    geoip {
      source => "[auditd][log][addr]"
      target => "[auditd][log][geoip]"
    }
  }
}
